Snat namespace misses iptables rules for floating ip.

Bug #1735866 reported by sunzuohua
Affects: neutron
Status: Fix Released
Importance: Undecided
Assigned to: Swaminathan Vasudevan

Bug Description

The l3 agent mode is as follows:
    Network: dvr_snat
    Compute: dvr_no_external
1. Create a DVR. Then add an interface and a gateway to the DVR.
2. Create a VM and associate a floating IP to the VM.
3. Check the snat namespace on the network nodes for the DVR.
4. The following iptables rule is missing in the snat namespace:
"-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat"

This results in the snat rules taking effect instead of the floating IP when accessing the internet.

Adding the following code at [1] can fix this:

    self.snat_iptables_manager.ipv4['nat'].add_rule('snat',
                                                    '-j $float-snat')

[1] https://github.com/openstack/neutron/blob/master/neutron/agent/l3/dvr_edge_router.py#L197
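To make the failure mode concrete, the following is an added example (not neutron's own code, and not part of the bug report) that models how netfilter walks the nat POSTROUTING chains in a snat namespace, over two constructed `iptables -t nat -S` style listings: one without the jump the report says is missing, one with it inserted ahead of the catch-all SNAT rule. The router SNAT address 203.0.113.10, the VM 10.0.0.5 with floating IP 203.0.113.20, the device name qg-1234abcd-ef and the trimmed chain contents are all assumptions; real neutron chains carry additional mark, conntrack and comment matches that are left out here.

```python
"""Constructed model of iptables nat/POSTROUTING traversal inside a neutron
snat namespace.  Added illustration, not neutron code: it shows why a
missing "-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat" lets the
router's catch-all SNAT address win over a VM's floating IP.
"""
import ipaddress
import shlex

# Constructed listings in `iptables -t nat -S` syntax.  Assumed values:
# router SNAT address 203.0.113.10, VM 10.0.0.5 with floating IP
# 203.0.113.20, external device qg-1234abcd-ef.
COMMON = """\
-P POSTROUTING ACCEPT
-N neutron-l3-agent-POSTROUTING
-N neutron-postrouting-bottom
-N neutron-l3-agent-snat
-N neutron-l3-agent-float-snat
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat
-A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 203.0.113.20
"""
SNAT_RULE = "-A neutron-l3-agent-snat -o qg-1234abcd-ef -j SNAT --to-source 203.0.113.10 --random-fully\n"
FLOAT_JUMP = "-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat\n"

BROKEN_LISTING = COMMON + SNAT_RULE              # the bug: no jump to float-snat
FIXED_LISTING = COMMON + FLOAT_JUMP + SNAT_RULE  # jump must precede the catch-all


def parse_listing(text):
    """Parse -P/-N/-A lines into {chain: [rule, ...]}, preserving rule order."""
    chains = {}
    for line in text.splitlines():
        tokens = shlex.split(line)          # shlex keeps quoted comments whole
        if not tokens:
            continue
        if tokens[0] in ("-P", "-N"):
            chains.setdefault(tokens[1], [])
            continue
        if tokens[0] != "-A":
            continue
        rule = {"chain": tokens[1]}
        i = 2
        while i < len(tokens):
            opt = tokens[i]
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(tokens[i + 1]); i += 2
            elif opt == "-o":
                rule["out"] = tokens[i + 1]; i += 2
            elif opt == "-j":
                rule["target"] = tokens[i + 1]; i += 2
            elif opt == "--to-source":
                rule["to_source"] = tokens[i + 1]; i += 2
            elif opt in ("-m", "--comment"):
                i += 2                      # match extensions this model ignores
            else:
                i += 1                      # bare flags such as --random-fully
        chains.setdefault(rule["chain"], []).append(rule)
    return chains


def _matches(rule, pkt):
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "out" in rule and rule["out"] != pkt["out"]:
        return False
    return True


def _walk(chains, pkt, chain):
    """Return (terminated, snat_address); the first terminating target wins."""
    for rule in chains.get(chain, []):
        if not _matches(rule, pkt):
            continue
        target = rule.get("target")
        if target == "SNAT":
            return True, rule["to_source"]
        if target == "ACCEPT":
            return True, None
        if target == "RETURN":
            return False, None
        if target in chains:                # user-defined chain: descend into it
            done, value = _walk(chains, pkt, target)
            if done:
                return done, value
    return False, None                      # chain exhausted, continue in caller


def snat_source(chains, pkt):
    """Address a packet leaves with after POSTROUTING, or None if untouched."""
    return _walk(chains, pkt, "POSTROUTING")[1]


def has_float_jump(chains):
    """The check from the report: does neutron-l3-agent-snat jump to float-snat?"""
    return any(r.get("target") == "neutron-l3-agent-float-snat"
               for r in chains.get("neutron-l3-agent-snat", []))


if __name__ == "__main__":
    pkt = {"src": "10.0.0.5", "out": "qg-1234abcd-ef"}
    for name, listing in (("broken", BROKEN_LISTING), ("fixed", FIXED_LISTING)):
        chains = parse_listing(listing)
        print(f"{name}: float jump present={has_float_jump(chains)}, "
              f"10.0.0.5 leaves as {snat_source(chains, pkt)}")
```

Run against a live namespace, the same check is the output of `ip netns exec snat-<router-id> iptables -t nat -S neutron-l3-agent-snat` fed to `parse_listing`; the model also shows why the fix's ordering matters, since the catch-all `-o qg-... -j SNAT` rule terminates traversal for every packet leaving the gateway device, so the jump to float-snat only helps if it is evaluated first.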

sunzuohua (zuohuasun)
Changed in fuel-plugin-contrail:
assignee: nobody → sunzuohua (zuohuasun)
sunzuohua (zuohuasun)
affects: fuel-plugin-contrail → neutron
Revision history for this message
Swaminathan Vasudevan (swaminathan-vasudevan) wrote :

Did you check the fip namespace?
The float-snat chain should be there in the fip namespace.

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

As per Swami's comment, report is incomplete.

Changed in neutron:
status: New → Incomplete
assignee: sunzuohua (zuohuasun) → nobody
tags: added: l3-ipam-dhcp
Revision history for this message
sunzuohua (zuohuasun) wrote :

@Swaminathan Vasudevan, sorry, I did not describe it clearly.
The L3 agents on the compute nodes are configured in "dvr_no_external" mode, so the floating IPs are in the snat namespace and the float-snat chain should be needed in the snat namespace.

sunzuohua (zuohuasun)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/526995

Changed in neutron:
assignee: nobody → sunzuohua (zuohuasun)
status: Incomplete → In Progress
tags: added: l3-dvr-backlog
Changed in neutron:
assignee: sunzuohua (zuohuasun) → Swaminathan Vasudevan (swaminathan-vasudevan)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/526995
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0f08b2c625d9158e7dce80ff2d01ffd273e0d9c3
Submitter: Zuul
Branch: master

commit 0f08b2c625d9158e7dce80ff2d01ffd273e0d9c3
Author: zhsun <email address hidden>
Date: Mon Dec 11 14:17:33 2017 +0800

    Add missing iptable rule in snat ns for centralized fips.

    The following iptable rule should be added to snat ns:
    "-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat",
    or the snat rule will take effect instead of centralized fips
    when accessing to the outside for vms.
    Closes-Bug: #1735866

    Change-Id: I286283bfb4dbf935a34c5919ee0af5225e75fac9

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/533316

tags: added: pike-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/533316
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=27c58c6cf0e02916c862c25a9c0317306001d1e4
Submitter: Zuul
Branch: stable/pike

commit 27c58c6cf0e02916c862c25a9c0317306001d1e4
Author: zhsun <email address hidden>
Date: Mon Dec 11 14:17:33 2017 +0800

    Add missing iptable rule in snat ns for centralized fips.

    The following iptable rule should be added to snat ns:
    "-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat",
    or the snat rule will take effect instead of centralized fips
    when accessing to the outside for vms.
    Closes-Bug: #1735866

    Change-Id: I286283bfb4dbf935a34c5919ee0af5225e75fac9
    (cherry picked from commit 0f08b2c625d9158e7dce80ff2d01ffd273e0d9c3)

tags: added: in-stable-pike
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.0.0b3

This issue was fixed in the openstack/neutron 12.0.0.0b3 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.3

This issue was fixed in the openstack/neutron 11.0.3 release.

tags: added: neutron-proactive-backport-potential
tags: removed: neutron-proactive-backport-potential